# Okta and OpenID Connect

## Requirement

Administrator account in Okta.

## Supported features

Immuta's OpenID Connect integration supports the following features:

* Service Provider (SP)-Initiated Authentication (SSO) Flow
* Identity Provider (IDP)-Initiated Authentication (SSO) Flow

## Configuration steps

### 1 - Add the Immuta application in Okta

1. Log in to Okta as an Admin, navigate to the **Applications** tab, and click **Add Application**.

   ![](/files/4DR41NDy7hdxGHons9uY)
2. Search for **Immuta** in the search bar and click **Add**.
3. Choose a name for your integration and click **Next**. Then select the **OpenID Connect** button.
4. Scroll down and enter the **Base URL** for your Immuta tenant.
5. Enter the **IAM ID** for your Immuta OIDC integration (if you have not created an IAM ID, you will complete that step in the [next section](#id-2-add-openid-connect-in-immuta)).
6. Click **Done** and once the page reloads, navigate back to the **Sign On** tab and copy down the **Client ID** and **Client secret**.

   ![](/files/DieAhcBUJFfie3hzd3Yp)

#### Attribute matching for SCIM

Attribute matching allows you to determine how to uniquely identify a user in Okta and match that user in Immuta during login and provisioning. Immuta supports the following matching attributes in Okta:

* **Users**:
  * `id`
  * `userName`
  * `email`
  * `displayName`
  * `emails[type eq "work"].value`
* **Groups**:
  * `id`
  * `displayName`

Using any other attribute in Okta as a matching attribute results in an error. See the [Okta documentation](https://support.okta.com/help/s/article/Configuring-Custom-Username-Format-for-SAML-Applications?language=en_US) for details about attribute matching and how to configure it.
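The filtered path `emails[type eq "work"].value` on the list above is a SCIM attribute path, not a plain key, so a resolver has to select the matching entry of a multi-valued attribute before it can read the field. The following Python script is an added example written for this page, not Immuta's or Okta's code: it resolves the supported matching attributes against a SCIM user or group resource, rejects any attribute outside the list, and refuses an empty matching value. The sample user resource is constructed, and treating the supported list as exact strings is an assumption.

```python
import re

# Matching attributes the page lists as supported; anything else is rejected
# before any lookup is attempted (assumption: compared as exact strings).
SUPPORTED_USER_ATTRIBUTES = frozenset(
    {"id", "userName", "email", "displayName", 'emails[type eq "work"].value'}
)
SUPPORTED_GROUP_ATTRIBUTES = frozenset({"id", "displayName"})

# The only filtered form on the supported list: attr[subAttr eq "value"].field
_FILTER_PATH = re.compile(r'^(\w+)\[(\w+) eq "([^"]*)"\]\.(\w+)$')


def resolve_scim_attribute(resource, path):
    """Look up a SCIM attribute path on a user or group resource.

    Plain paths ("userName") are direct keys. Filtered paths such as
    emails[type eq "work"].value select the entry of a multi-valued
    attribute whose sub-attribute equals the quoted value and return one
    field of it. Returns None when nothing matches.
    """
    match = _FILTER_PATH.match(path)
    if match is None:
        return resource.get(path)
    multi_attr, sub_attr, wanted, field = match.groups()
    for entry in resource.get(multi_attr) or []:
        if isinstance(entry, dict) and entry.get(sub_attr) == wanted:
            return entry.get(field)
    return None


def matching_key(resource, path, kind="user"):
    """Return the value used to match this resource, or raise ValueError.

    Rejects attributes outside the supported list and values that are
    empty, since an empty matching key cannot identify a user or group.
    """
    allowed = SUPPORTED_USER_ATTRIBUTES if kind == "user" else SUPPORTED_GROUP_ATTRIBUTES
    if path not in allowed:
        raise ValueError(f"unsupported {kind} matching attribute: {path!r}")
    value = resolve_scim_attribute(resource, path)
    if value in (None, ""):
        raise ValueError(f"{path!r} is empty on {kind} {resource.get('id')!r}")
    return value


# Constructed sample user resource (not real Okta data).
SAMPLE_USER = {
    "id": "00u-constructed-example",
    "userName": "jdoe@example.com",
    "displayName": "Jane Doe",
    "emails": [
        {"type": "home", "value": "jane@example.net", "primary": False},
        {"type": "work", "value": "jdoe@example.com", "primary": True},
    ],
}

if __name__ == "__main__":
    for path in ("userName", 'emails[type eq "work"].value', "email", "profile.login"):
        try:
            print(f"{path:32} -> {matching_key(SAMPLE_USER, path)}")
        except ValueError as err:
            print(f"{path:32} -> error: {err}")
```

Running the script shows the two failure modes a misconfigured matching attribute produces: `profile.login` is rejected outright because it is not on the supported list, and `email` is rejected because the sample resource carries no top-level `email` value, which is the case the note about fixing usernames in the identity provider before enabling SCIM is warning about.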

### 2 - Add OpenID Connect in Immuta

1. Log in to Immuta and click the **App Settings** icon in the left sidebar.
2. Click the **Add IAM** button and enter a **Display Name**.
3. Select **OpenID** from the Identity Provider Type dropdown menu.
4. If you had not yet created the IAM ID when adding the application in Okta, navigate back to Okta, enter the **IAM ID** below the **Base URL**, and then complete the remaining steps from the Okta section.

   ![](/files/qwUeNqa9rOy2kXsZhkB6)

### 3 - Configure OpenID Connect

1. In the Identity Management section of the Immuta console, enter the **Client ID** and **Client Secret** you copied from Okta in the previous section.
2. Enter the following URL in the **Discover URL** field: `https://<your_okta_workspace.com>/.well-known/openid-configuration`.
3. Opt to add additional **Scopes**.
4. Opt to **Enable SCIM support for OpenID** by clicking the checkbox, which will generate a SCIM API Key. *Validate that the usernames in your IAM match those in your data platform (Snowflake, Databricks, etc.). If they are incorrect in the IAM or the casing doesn't match, fix the data platform username in the identity provider before configuring SCIM in Immuta.*
   * Copy the SCIM URL and API key generated, and then save your changes[^1].
   * Validate the URL and credentials within the identity provider application.
5. In the **Profile Schema** section, map attributes in OpenID to automatically fill in a user's Immuta profile. *Note: Fields that you specify in this schema will not be editable by users within Immuta.*
6. Opt to **Allow Identity Provider Initiated Single Sign On** to use the IDP-Initiated SSO feature by selecting the checkbox.
7. Opt to **Migrate Users** from another IAM by selecting the checkbox.
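The **Discover URL** entered in step 2 is only useful if the document it returns actually belongs to your Okta tenant and advertises what the integration needs (the `openid` scope plus any additional scopes from step 3, the authorization code flow, and signed ID tokens). The following Python script is an added example written for this page, not Immuta's or Okta's code: it checks a discovery document against the URL it was fetched from and the scopes you intend to configure, so a mistyped tenant name or a document copied from another tenant is caught before **Test Connection** is run. The sample document, the placeholder tenant `your-org.okta.com`, and the rule that every endpoint must be https on the issuer's host are constructed assumptions.

```python
import json
from urllib.parse import urlsplit
from urllib.request import urlopen

REQUIRED_ENDPOINTS = ("authorization_endpoint", "token_endpoint", "userinfo_endpoint", "jwks_uri")
WELL_KNOWN = "/.well-known/openid-configuration"


def fetch_discovery(discovery_url, timeout=10):
    """Download and parse the discovery document (needs network; the checks below do not)."""
    with urlopen(discovery_url, timeout=timeout) as resp:
        return json.load(resp)


def check_discovery(discovery_url, doc, extra_scopes=()):
    """Return a list of problems; an empty list means the document is safe to configure.

    Assumptions: the issuer and every endpoint must be https and live on the
    issuer's host, and the discovery URL must be the issuer plus the
    well-known suffix, so the document cannot be for a different tenant.
    """
    problems = []
    issuer = doc.get("issuer", "")
    if not issuer.startswith("https://"):
        problems.append(f"issuer is not an https URL: {issuer!r}")
    if discovery_url.rstrip("/") != issuer.rstrip("/") + WELL_KNOWN:
        problems.append(f"discovery URL {discovery_url} does not belong to issuer {issuer!r}")
    issuer_host = urlsplit(issuer).hostname
    for key in REQUIRED_ENDPOINTS:
        url = doc.get(key)
        if not url:
            problems.append(f"missing {key}")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https" or parts.hostname != issuer_host:
            problems.append(f"{key} is not https on the issuer host: {url}")
    advertised = set(doc.get("scopes_supported", []))
    for scope in ("openid", *extra_scopes):
        if scope not in advertised:
            problems.append(f"scope {scope!r} is not in scopes_supported")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow (response_type=code) is not supported")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 ID token signing is not advertised")
    return problems


# Constructed sample: a placeholder tenant, not a real discovery document.
SAMPLE_DISCOVERY_URL = "https://your-org.okta.com" + WELL_KNOWN
SAMPLE_DISCOVERY = {
    "issuer": "https://your-org.okta.com",
    "authorization_endpoint": "https://your-org.okta.com/oauth2/v1/authorize",
    "token_endpoint": "https://your-org.okta.com/oauth2/v1/token",
    "userinfo_endpoint": "https://your-org.okta.com/oauth2/v1/userinfo",
    "jwks_uri": "https://your-org.okta.com/oauth2/v1/keys",
    "scopes_supported": ["openid", "profile", "email", "groups"],
    "response_types_supported": ["code", "id_token", "code id_token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

if __name__ == "__main__":
    # Replace the sample with fetch_discovery(SAMPLE_DISCOVERY_URL) to check a live tenant.
    for problem in check_discovery(SAMPLE_DISCOVERY_URL, SAMPLE_DISCOVERY, ("profile", "email")):
        print("PROBLEM:", problem)
    print("done")
```

Pass the additional scopes you chose in step 3 as `extra_scopes`; a scope that Okta does not advertise in `scopes_supported` will otherwise only surface as a failed login later.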

{% hint style="warning" %}
**Multiple user accounts cannot have the same email address**

If you register user accounts that have the same email address as an existing Immuta user account, the email field for the subsequent user accounts will be left empty. For more details, see the [Identity managers reference guide](/2024.3/people/section-contents/reference-guides/identity-managers.md#limitations).
{% endhint %}

### 4 - Test connection and save configuration

1. Click the **Test Connection** button.
2. Once the connection is successful, click the **Test User Login** button.
3. Click **Save**.

[^1]: You can either finish configuring your IAM on the app settings page before clicking save, or you can save now and return to the app settings page to edit the IAM configuration after saving.
